infra/ai-memory/project_novacpx_todo.md
myron 52f6073593 Add Claude Code AI memory files
AI context/memory from Claude Code sessions covering all
infrastructure: JARVIS, NovaCPX, DO sites, Proxmox, FusionPBX,
MediaStack, and project feedback/preferences.
2026-06-26 03:06:26 +00:00

9.8 KiB

name: project-novacpx-todo
description: NovaCPX numbered TODO list — reference by number when requesting work
metadata: node_type: memory; type: project; originSessionId: c454fc50-f93d-4ddd-b9f3-f3f442e89fb9

NovaCPX pre-production TODO. Reference items by number (e.g. "work on #3").

🔴 CRITICAL — Blocking for any real use

#1 — Auto-deploy pipeline on VM DONE Webhook at https://10.48.200.110:8882/deploy/webhook.php. GitHub webhook fires on push to main or beta. A deploy-runner.sh cron job runs every minute and processes the queue. Accepts both main and beta branches; reads update_channel from the DB to pull the correct branch.

#2 — Sessions table in schema DONE Confirmed sessions table exists. Also added settings and api_tokens tables.

#3 — End-to-end account creation test DONE Fixed: systemd ProtectSystem=full blocked /etc writes. Fixed: sudo mkdir/chown needed for home dir setup. All working: Linux user + home dir + public_html + vhost + DNS zone + Apache serving.

#4 — Mail server virtual domain config DONE vmail user + /var/mail/vhosts. Postfix + Dovecot fully wired.

#5 — DNS zone files working DONE named running, dig @localhost verified, AppArmor allows reads.

#6 — Let's Encrypt SSL tested live DONE (infrastructure verified) Certbot 2.9.0 installed. Will work with real public domains.


🟡 IMPORTANT — Needed before real traffic

#9 — Password change DONE

#10 — Webmail SSO DONE

#11 — DKIM provisioning DONE

#12 — File manager security audit DONE

#13 — PHP syntax guard on admin.js load DONE

#7 — User/reseller panel pages connected to real data DONE

#8 — Reseller account isolation audit DONE


🟠 FEATURES — Expected in beta

#14 — WordPress Manager DONE (backend + admin UI)

#15 — Backup system DONE

#16 — Cloudflare API integration DONE

#17 — Two-factor auth (TOTP) DONE

#18 — Reseller white-label DONE reseller_branding table, branding.php endpoint, _branding.php server-side helper.

#19 — Server monitoring charts DONE server_stats table + collect-stats.php cron (every 5 min). Chart.js lazy-loaded.

#20 — Cron job manager (user panel) DONE

#21 — Package limits enforcement DONE

#22a — Multiple FTP server options DONE

#22b — WHMCS billing bridge DONE

#22c — Multiple mail server options DONE

#22d — Multiple web server options DONE

#22e — DNS options + NS health checker DONE


🔵 POLISH — Pre-production

#23 — Documentation DONE

#24 — Audit log UI DONE

#25 — Email notifications DONE

#26 — Mobile-responsive CSS pass DONE

#27 — Custom error pages DONE

#28 — API rate limiting middleware DONE

#29 — Session management UI DONE

#30 — Installer idempotency DONE


🐳 DOCKER — Tiered container management

#31-35 — Docker Engine + admin/reseller/user panels DONE DockerManager.php. 140-app catalog across 15+ categories. "My Apps" tab backed by docker_compose_stacks (not docker_containers). Async background launch with nohup. Email domain dropdown (local-part + domain select from DB).

Docker catalog history:

  • Initial: 9 apps (wordpress, ghost, nextcloud, gitea, matomo, vaultwarden, nodejs, flask, static)
  • 2026-06-09: Expanded to 60 apps (added monitoring, wiki, messaging, security, business, design categories)
  • 2026-06-10: Expanded to 140 apps (added AI/LLM, dev tools, databases, networking, CMS/commerce, project mgmt, communication, file/storage, ERP/business, media, smart home, dashboards)

Per-account uninstall DONE (uninstall-account API, user panel "Remove All My Apps" button)

Per-stack Reinstall DONE (Reinstall button in stacks table, stack-reinstall API, pull→down→up)

Admin App Catalog tab DONE (launch apps on behalf of accounts from admin Docker page)


🛠️ ADMIN ROOT CONTROLS (added 2026-06-20)

#41 — phpMyAdmin root section DONE Quick-access buttons + tool cards in DB Manager (mysql-manager page). phpMyAdmin at /phpmyadmin, Adminer at /adminer.php. db-tools API detects installed tools and serves URLs.

#42 — Docker root GUI DONE Full docker page: containers, images, volumes, networks, compose stacks, app catalog, user quotas. All actions (start/stop/remove/logs/inspect) work. Sync-orphans endpoint for post-restore.

#43 — PostgreSQL root GUI DONE Adminer installed at /adminer.php (handles MySQL + PostgreSQL). Separate PostgreSQL Databases section in DB Manager with direct Adminer PG link. db-tools API detects adminer.php.

#44 — Mail server root controls DONE mail-server page: service controls (postfix/dovecot/rspamd), mail queue viewer + flush, virtual mail domains list with email counts, mail log tail.

#45 — FTP controls section DONE ftp-server page: FTP service status + restart/reload/stop, all FTP accounts from DB with username/directory/permissions.

#46 — Nginx proxy controls DONE nginx-proxy page: comprehensive proxy host management with add/edit/delete, upstream sync, settings, setup guide.

#47 — Web server root controls DONE web-server page: CPU/RAM/disk/uptime stats, services with restart/reload/stop, PHP defaults, log viewer (nginx-error/access/panel/deploy).


#49 — Disable/remove conflicting web servers on install DONE (install.sh updated)

#51 — Server settings sections in admin panel DONE All service pages exist in admin: web-server (#47), mail-server (#44), ftp-server (#45), docker, mysql-manager, nginx-proxy, firewall, fail2ban. Each shows install/running status.

#50 — Post-restore automation script DONE (v2) /usr/local/bin/novacpx-post-restore at deploy/novacpx-post-restore.sh: fixes config.ini, cleans orphaned pools, bumps PHP-FPM max_children, pulls latest code+migrations, cleans orphaned DB users before creating webacct, deploys dashboard+notes, Basic Auth, disables Apache2. --no-git flag available.

#48 — Collapsible sidebar navigation DONE CSS in nova.css, JS in nova.js (_initCollapsibleNav exposed on window). Admin: runs on DOMContentLoaded. Reseller + user: called after renderRNav()/renderNav(). State persisted in localStorage.


🆕 NEW FEATURES (added 2026-06-20)

#36 — Sub-domains section DONE Admin: global view across all accounts. Reseller: filtered to their customers. User: create/remove own subdomains. Backend was already in domains.php (add-subdomain, list, remove).

#37 — Parked domains section DONE Admin: global view across all accounts. Reseller: filtered to their customers. User: park/remove domains. Backend was already in domains.php (add-alias, list, remove).

#38 — Settings section (account-level) DONE User panel Account > Settings: shows account info, resource usage gauges, PHP config (version/memory/upload/exec time), quick links to SSL/2FA/password change.

#39 — Default index file on new account DONE AccountManager now creates a dark-themed modern index.html on account creation. Admin can set a custom HTML template in Server Options (default_index_template setting, {domain}/{username} placeholders). Falls back to built-in if none set.

#40 — Linux uninstaller DONE uninstall.sh at repo root. Full backup → confirmation → removes accounts/users/pools/vhosts/systemd/sudoers/cron/DKIM/DNS/postfix/fail2ban/all dirs. Prints scp + temp HTTP download options. --yes flag to skip confirm. Usage: bash uninstall.sh [--yes]


🔒 SECURITY FIXES (2026-06-09, code review)

Shell injection fixes DONE

  • WordPressManager.php: escapeshellarg() on all exec() paths in cloneStaging(); delete() reordered (DB first, filesystem second)
  • PHPManager.php: sudo rm -f for FPM pool deletion (www-data can't unlink root-owned files); SQLite syntax for updateConfig()
  • WP-CLI download: 30s timeout + 100KB size validation

install.sh sudoers hardening DONE

  • Replaced ufw * wildcard with 9 specific subcommands
  • Removed curl * NOPASSWD entirely (code doesn't need it)
  • Removed env * NOPASSWD entirely (security risk)
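
A check for the rule classes removed above, as an added example that is not part of install.sh or the NovaCPX code base: it scans a sudoers file for NOPASSWD commands that keep a `*` argument or that name env or curl. The sample rules, the www-data user in them, the binary paths and the ufw subcommands are constructed for illustration; this page does not list the 9 subcommands.

```bash
#!/usr/bin/env bash
# Added example: lint a sudoers file for the rule classes install.sh dropped.
# Assumes one rule per line (no backslash continuations) and no escaped commas.

audit_sudoers() {
    # $1 = sudoers file; prints "LINE:REASON:COMMAND" for each risky NOPASSWD command
    awk '
        /^[ \t]*#/ || !/NOPASSWD:/ { next }      # skip comments and password-gated rules
        {
            spec = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", spec)   # keep only the command list
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                sub(/[ \t]+$/, "", cmd)
                split(cmd, parts, /[ \t]+/)
                bin = parts[1]
                sub(/^.*\//, "", bin)             # basename of the binary
                if (bin == "env" || bin == "curl")
                    printf "%d:launcher:%s\n", NR, cmd   # general-purpose tool run as root
                else if (index(cmd, "*") > 0)
                    printf "%d:wildcard:%s\n", NR, cmd   # arguments are not pinned
            }
        }
    ' "$1"
}

write_sample() {
    # Constructed sample rules, not the project's real sudoers file.
    cat > "$1" <<'EOF'
# before hardening
www-data ALL=(root) NOPASSWD: /usr/sbin/ufw *
www-data ALL=(root) NOPASSWD: /usr/bin/curl *, /usr/bin/env *
# explicit subcommands only
www-data ALL=(root) NOPASSWD: /usr/sbin/ufw status, /usr/sbin/ufw reload
# subcommand pinned, arguments still open
www-data ALL=(root) NOPASSWD: /usr/sbin/ufw allow *
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

Run `visudo -c` after any sudoers change as well; this lint only looks at what the rules permit, not whether the file parses.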

🔧 RECENT FIXES (2026-06-09/10)

SSL cert SAN DONE Cert regenerated with subjectAltName=IP:10.48.200.110 — required for Chrome fetch() to work.

Update caching + nightly cron DONE check-novacpx-update + check-os-update cache in settings table (12h TTL, ?force=1 bypass). Nightly cron at 2am: /srv/novacpx/public/bin/cache-update-check.php.

OS upgrade script DONE Fixed date format bug (date -u +"%H:%M:%S UTC"). Fixed backup dir (/tmp/novacpx-backup-TIMESTAMP instead of /var/novacpx/).

SEO meta tags DONE All 3 panel index.php files have description, keywords, robots=noindex,nofollow.

Version tracking DONE deploy-runner.sh and apply-novacpx-update both write to novacpx_version table + settings.panel_version after every deploy. Current: 1.0.27.

VERSION file sync DONE (2026-06-10) deploy-runner.sh now copies VERSION from repo root to /srv/novacpx/public/VERSION after each deploy.

Update channels (stable/beta) DONE Settings page loads/saves channel from DB. check-novacpx-update reads channel and checks correct remote branch. apply-novacpx-update pulls from correct branch. deploy-runner.sh reads channel from DB. beta branch created on GitHub. GitHub Actions auto-bumps: main→PATCH, beta→-beta.N.

Settings page DB sync DONE settings() function loads panel_name, default_php, nameservers, update_channel from server-options API. Saves via save-option API on submit.

JARVIS agent DONE Installed 2026-06-09. Agent ID: novacpx_e3b07264. Online and reporting.

Parker Slingshot JARVIS monitoring DONE Updated from parkerslingshot.epictravelexpeditions.com → parkerslingshotrentals.com in facts_collector.php, alerts.php, do_server.php.